HR Impersonation via E-sign Agreement Comment

type.inbound
and length(attachments) == 0

// Legitimate Docusign sending infratructure
and (
  sender.email.domain.root_domain in (
    'docusign.net',
    'docusign.com',
    'hellosign.com'
  )
  // docusing.com as a reply-to is used in updates to documents, such as views, signs, etc
  and not any(headers.reply_to, .email.domain.domain == 'docusign.com')
  // check for SPF or DMARC passed
  and (headers.auth_summary.spf.pass or headers.auth_summary.dmarc.pass)
)

// HR Impersonation in body
and regex.icontains(body.current_thread.text,
                    (
                      '(\bh\W?r\W?\b|human\s?resources|hr depart(ment)?|employee relations)'
                    )
)

// Request and Urgency
and (
  any(ml.nlu_classifier(body.current_thread.text).entities, .name == "request")
  and (
    any(ml.nlu_classifier(body.current_thread.text).intents,
        .name == "cred_theft" and .confidence == "high"
    )
    or any(ml.nlu_classifier(body.current_thread.text).entities,
           .name in ("urgency", "financial")
    )
  )
)
and (
  any(ml.nlu_classifier(body.current_thread.text).intents, .name != "benign")
  or length(ml.nlu_classifier(body.current_thread.text).intents) == 0 // not benign but not malicious either
)

//
// This rule makes use of a beta feature and is subject to change without notice
// using the beta feature in custom rules is not suggested until it has been formally released
//

 // reply-to address has never sent an email to the org
and beta.profile.by_reply_to().prevalence == "new"

// reply-to email address has never been sent an email by the org
and not beta.profile.by_reply_to().solicited

// Negate legitimate HR docusigns originating from within the org
and not (all(headers.reply_to, .email.domain.root_domain in $org_domains))

// Negate replies
and (
  length(headers.references) == 0
  or not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
)